Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: AliceWonderMiscreations on February 23, 2016, 11:57:30 AM



Title: 0.12.0 and LibreSSL
Post by: AliceWonderMiscreations on February 23, 2016, 11:57:30 AM
bitcoin-core 0.11.3 allows --with-libressl but that seems to be gone from 0.12.0.

Is there a patch somewhere to add it back in?


Title: Re: 0.12.0 and LibreSSL
Post by: AliceWonderMiscreations on February 23, 2016, 12:21:54 PM
This is the error I am getting when attempting to build 0.12.0 w/o any configure switches used

Code:
In file included from addrman.h:13:0,
                 from init.cpp:12:
init.cpp: In function 'bool AppInit2(boost::thread_group&, CScheduler&)':
init.cpp:1081:61: error: 'OPENSSL_VERSION' was not declared in this scope
     LogPrintf("Using OpenSSL version %s\n", OpenSSL_version(OPENSSL_VERSION));
                                                             ^
util.h:77:39: note: in definition of macro 'LogPrintf'
 #define LogPrintf(...) LogPrint(NULL, __VA_ARGS__)
                                       ^
init.cpp:1081:76: error: 'OpenSSL_version' was not declared in this scope
     LogPrintf("Using OpenSSL version %s\n", OpenSSL_version(OPENSSL_VERSION));

LibreSSL 2.3.2


Title: Re: 0.12.0 and LibreSSL
Post by: achow101 on February 23, 2016, 12:37:17 PM
Allowing libressl was dropped several months ago. Read the commit message here: https://github.com/bitcoin/bitcoin/commit/59783884766d00866e190ba5ae761916e932df10 for the reasons why.


Title: Re: 0.12.0 and LibreSSL
Post by: AliceWonderMiscreations on February 23, 2016, 12:40:40 PM
Quote from: achow101
> Allowing libressl was dropped several months ago. Read the commit message here: https://github.com/bitcoin/bitcoin/commit/59783884766d00866e190ba5ae761916e932df10 for the reasons why.

That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies; it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...

Anyway thus it seems that it *should* build with LibreSSL and this is a bug.

0.11.2 builds against the same version of LibreSSL no problem.


Title: Re: 0.12.0 and LibreSSL
Post by: AliceWonderMiscreations on February 23, 2016, 01:01:13 PM
Okay it looks like maybe the fix for that OpenSSL issue might be what caused this break with LibreSSL.

I'm convinced it is.

-=-

https://github.com/bitcoin/bitcoin/issues/7580


Title: Re: 0.12.0 and LibreSSL
Post by: Carlton Banks on February 23, 2016, 02:23:28 PM
Quote from: AliceWonderMiscreations
> That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies; it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...

And different versions of OpenSSL also have a moratorium out on them in respect of Bitcoin (and I'm surprised you don't know this, seeing as the only Red Hat/.rpm repo that ever existed ran into exactly that issue: using a version of OpenSSL that was "better", but contained different ECDSA code that broke Bitcoin nodes using it).

It's not about "worse" or "better", it's about "produces the same bugs". Yes, LibreSSL is likely a "better" crypto library than OpenSSL for general use, but the Bitcoin blockchain has contained signatures verified with OpenSSL long before LibreSSL even existed.



With 0.12 though, the only functions still handled by OpenSSL are the internal PRNG and AES256 for the wallet encryption. So the previous LibreSSL issues essentially don't exist for 0.12+, although there's very little functionality left for LibreSSL to be called for.


Title: Re: 0.12.0 and LibreSSL
Post by: AliceWonderMiscreations on February 23, 2016, 03:59:54 PM
Quote from: Carlton Banks
> Quote from: AliceWonderMiscreations
> > That removes the check for LibreSSL, and implies that the scariness of LibreSSL no longer applies; it won't cause the consensus issues some worried about. Which I doubt would have been any worse than different versions of OpenSSL but...
>
> And different versions of OpenSSL also have a moratorium out on them in respect of Bitcoin (and I'm surprised you don't know this, seeing as the only Red Hat/.rpm repo that ever existed ran into exactly that issue: using a version of OpenSSL that was "better", but contained different ECDSA code that broke Bitcoin nodes using it).
>
> It's not about "worse" or "better", it's about "produces the same bugs". Yes, LibreSSL is likely a "better" crypto library than OpenSSL for general use, but the Bitcoin blockchain has contained signatures verified with OpenSSL long before LibreSSL even existed.
>
> With 0.12 though, the only functions still handled by OpenSSL are the internal PRNG and AES256 for the wallet encryption. So the previous LibreSSL issues essentially don't exist for 0.12+, although there's very little functionality left for LibreSSL to be called for.

The problem with the Fedora / Red Hat OpenSSL was related to the Red Hat legal team: Red Hat's OpenSSL only supports two or three ECDSA curves; they ripped a bunch out due to legal fears.

However this issue is resolved:

Code:
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
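
Review bot: the `defined(LIBRESSL_VERSION_NUMBER)` term on the `+` line sends every LibreSSL release down the pre-1.1 branch with no upper version bound, and nothing at the guard says why it is there. A short comment beside the `#if` noting that LibreSSL reports a high OPENSSL_VERSION_NUMBER without providing the 1.1 API would keep a later cleanup from dropping the LibreSSL test. If the same version guard is used at other call sites, defining it once as a project-level macro would avoid patching one site and missing the rest.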

Basically a fix for openssl 1.1 broke libressl because libressl uses a high OPENSSL_VERSION_NUMBER yet does not use the OpenSSL API from post fork.